Published May 06, 2019 | Updated Mar 05, 2026

Trojan:Win32/Wacatac.B!ml

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Trojan:Win32/Wacatac.B!ml represents an ongoing and adaptable threat to Windows. It functions primarily as a trojan, acting as a versatile tool for threat actors to steal information, download additional harmful software, or open a backdoor for ransomware. Since its significant rise in activity around 2020, the threat has relied heavily on social engineering for initial access. Threat actors often bundle Wacatac with cracked software or pirated media, or distribute it through phishing emails disguised as routine business messages. Once a user launches the file, the malware uses packing and encryption to hide its code.

The core risk of this malware is its deep integration with the Windows device. It modifies registry keys, tampers with Windows files, and can even change Group Policy settings to deactivate security tools and ensure it survives a reboot. Because of its modular build, a single infection can lead to stolen credentials, exfiltrated personal data, or a full network compromise through the installation of remote access tools. This report breaks down the technical workings, specific forensic evidence left behind, and the step-by-step response needed to handle this persistent threat. 

  • Disconnect the device from the internet and your local network. Unplug the Ethernet cable or turn off Wi-Fi. This cuts the link to the C2 server. 
  • Log out of all cloud-synced accounts from other devices to prevent the malware from syncing infected files to the cloud. 
  • Standard scans run from within Windows can be evaded by the malware. Use Microsoft Defender Offline instead. This tool restarts the device and scans before Windows, and any malware hiding inside it, can load, which makes it much more effective at finding stubborn threats.
  • After the offline scan, run the Microsoft Safety Scanner from another clean device. This helps catch any stragglers the first scan might have missed. 
  • If automated tools struggle, restart the device in Safe Mode. This stops non-essential programs and drivers from loading, which often deactivates the malware's self-protection features.
  • Open Task Manager and end any suspicious processes that lack a valid digital signature or are consuming unusually high CPU.
  • Open Registry Editor. Carefully go to the Run and RunOnce keys and delete any entries that point to suspicious files in the AppData folder. Also check the exefile\shell\open\command key and restore it to its default Windows value if it has been hijacked.
  • Use File Explorer to manually delete the suspicious folders you identified, like those in AppData or the startup directory. Clear out your temporary folders using the Disk Cleanup tool. 
  • Open the Group Policy Editor or the Windows Security app and make sure Microsoft Defender is activated and real-time protection is turned back on. The malware often turns these off. 
  • If the device is still unstable or if ransomware has encrypted your files, the safest course of action is to back up personal files from a verified clean backup and perform a clean installation of Windows. 
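The registry and Defender checks in the steps above, as an added read-only PowerShell triage script that is not part of this Microsoft page: it lists Run/RunOnce entries launching from AppData or Temp, compares the exefile handler with its default, and reports whether Defender real-time protection is off or disabled by policy. It assumes an elevated prompt on the affected device and the built-in Defender PowerShell module; it reports findings and deletes nothing.

```powershell
# Added example (not Microsoft's code): collect evidence for the manual remediation steps.
$findings = @()

# 1. Run / RunOnce autostart values whose command lives in AppData or a Temp folder
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        $value = [string]$reg.GetValue($name)
        if ($value -match '(?i)\\AppData\\|\\Temp\\|%APPDATA%|%TEMP%') {
            $findings += "Autostart in $key : '$name' = $value"
        }
    }
}

# 2. exefile\shell\open\command: anything but the default means every .exe launch is hijacked
$expected = '"%1" %*'
$exeCmd = (Get-Item -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').GetValue('')
if ($exeCmd -ne $expected) {
    $findings += "exefile handler hijacked: $exeCmd (expected $expected)"
}

# 3. Defender state, both the live status and the policy keys the malware may have set
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is OFF' }
$policyChecks = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'                      = 'DisableAntiSpyware'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' = 'DisableRealtimeMonitoring'
}
foreach ($path in $policyChecks.Keys) {
    if (-not (Test-Path $path)) { continue }
    $name = $policyChecks[$path]
    if ((Get-Item -Path $path).GetValue($name) -eq 1) {
        $findings += "Policy $path\$name = 1 (Defender disabled by policy)"
    }
}

if ($findings.Count -eq 0) { 'No findings in the checked locations.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Review each reported autostart entry before deleting it, since legitimate updaters also start from AppData.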

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
